Disposition of Claims 

4) [X] Claim(s) 1-20 is/are pending in the application. 

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) [ ] Claim(s) is/are allowed. 
DETAILED ACTION 

1. This office action is in reply to an amendment filed on December 22, 2008 and an election filed on 
May 21, 2009. Claims 1-20 have been amended and elected. 

2. Claims 21-22 have been canceled. 

3. Claims 1-20 are pending. 

Election/Restrictions 

4. Applicant's representative has responded to the restriction requirement sent on April 15, 2009 by 
cancelling claims 21 and 22 (inventions listed as group II); and therefore, claims 1-20 (invention listed as 
group I) are pending; and are examined. 

Response to Amendment 

5. Applicant's arguments filed on December 22, 2009, with respect to claims 1-20 have been fully 
considered but they are moot in view of new ground(s) of rejection. 

Claim Rejections - 35 USC § 103 

6. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness 
rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 
102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the 
subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill 
in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the 

7. Claims 1-6, 9-10, 13 and 17 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Hursey et al (Hursey) (US Pub. No. 2003/0074573) in view of Marwaha (US Pub. No. 2004/0181685). 



As per claim 1 Hursey discloses: 

A computer-implemented malware detection system for determining whether an executable script 
is malware according to its functionality, the malware detection system comprising: (page 1, paragraph 2, 
this invention relates to the field of data processing systems. More particularly, this invention relates to 
scanning for malware, such as, for example, computer viruses, Trojans, worms, banned files and banned 
words within e-mail messages). 

A malware signature store including at least one known malware script signature, wherein each 
malware signature in the malware signature store is a normalized signature of a known malware script; 
(page 2, paragraph 22, the anti-virus scanning system 8 incorporates the virus definitions 12 in the form 
of uncompressed virus signatures (malware signatures) 17. These virus signatures 17 might typically 
correspond to a sequence of twenty or so byte values that are indicative of a particular piece of malware. 
These uncompressed virus signatures 17 may be compressed using the coding table from the 
compressed computer file 16 to yield compressed virus signatures 18) and (page 2, paragraph 28, It 
would also be possible to compress all the uncompressed virus signatures as one task and then use this 
library of compressed virus signatures to search the compressed computer file). 

Wherein the malware detection system is configured to: compare the normalized signature of the 
executable script to the at least one normalized malware signature in the malware signature store to 
determine whether the executable script is malware; (abstract, line 1-6, A malware scanner (8) operates 
to scan compressed computer files (16) by compressing the malware signatures (17) using the same 
compression algorithm as used for the compressed computer file and then comparing the compressed 
malware signatures (18) with the compressed computer file directly). According to Hursey, the signature 
of a known virus is compressed in order to change the signature to the same common format as the incoming 
compressed computer files. 

Report whether the executable script is malware according to the determination. (Page 2, 
paragraph 26, Step 38 determines whether or not a match has occurred between the compressed virus 
signature and the compressed computer file. If a match has occurred, then the anti-virus actions are 
triggered at step 40. These anti-virus actions may include deletion, quarantine, repair, alert message 
generation etc). 



Application/Control Number: 10/769,104 Page 4 

Art Unit: 2434 

A normalization module that obtains an executable script and generates a normalized signature 
for the executable script, wherein generating a normalized signature for the executable script comprises 
translating tokens from the executable script into normalized tokens conforming to a common format; 
(abstract, line 1-6, A malware scanner (8) operates to scan compressed computer files (16) by 
compressing the malware signatures (17) using the same compression algorithm as used for the 
compressed computer file and then comparing the compressed malware signatures (18) with the 
compressed computer file directly). 

Hursey does not explicitly disclose a normalization module. However, in the same field of 
endeavor, Marwaha teaches this limitation as, (page 12, paragraph 142, at 1102, the message is 
normalized for example, by extracting necessary information from the message and formatted into a 
standard format or a token. An index is also assigned to the standardized token. At 1106, additional 
information is added to the standardized token) and (abstract, line 1-4, a common event format 
associated with unique index value is provided to allow a common structure to rules, regardless of from 
which system the message is originating. Messages coming from different sources into an enterprise 
manager are tokenized to contain essential information, and standardized into a common event format). 

Therefore, it would have been obvious to one of ordinary skill in the art, at the time the 
invention was made, to modify the teaching of Hursey and include the normalization module using the 
teaching of Marwaha in order to standardize the incoming data from various sources and generate 
normalized data in a common format. 

Claims 3, 4 and 5 are rejected for the same reason set forth in the rejection of claim 1: 

As per claim 2 Hursey in view of Marwaha discloses: 

The malware detection system of Claim 1, further comprising a comparison module, wherein the 
comparison module compares the normalized signature of the executable script to the at least one 
normalized malware signature in the malware signature store, (abstract, line 1-6, A malware scanner (8) 
operates to scan compressed computer files (16) by compressing the malware signatures (17) using the 
same compression algorithm as used for the compressed computer file and then comparing the 
compressed malware signatures (18) with the compressed computer file directly). 

Claims 10, 13 and 17 are rejected for the same reason set forth in the rejection of claim 2: 

As per claim 6 Hursey in view of Marwaha discloses: 

The malware detection system of Claim 2, wherein translating tokens from the executable script 
into a common format suitable for comparison with the at least one malware signature in the malware 
signature store comprises renaming tokens from the executable script according to a common naming 
convention. (Page 2, paragraph 22, the anti-virus scanning system 8 incorporates the virus definitions 12 
in the form of uncompressed virus signatures (malware signatures) 17. These virus signatures 17 might 
typically correspond to a sequence of twenty or so byte values that are indicative of a particular piece of 
malware. These uncompressed virus signatures 17 may be compressed using the coding table from the 
compressed computer file 16 to yield compressed virus signatures 18). 

As per claim 9 Hursey in view of Marwaha discloses: 

The malware detection system of Claim 6, wherein generating a normalized signature for the 
executable script further comprises generating a set of normalized tokens for each routine in the 
executable script. (Abstract, line 1-6, A malware scanner (8) operates to scan compressed computer files 
(16) by compressing the malware signatures (17) using the same compression algorithm as used for the 
compressed computer file and then comparing the compressed malware signatures (18) with the 
compressed computer file directly). 

Allowable Subject Matter 

8. Claims 7-8, 11-12, 14-16, 18-20 are objected to as being dependent upon a rejected base claim, 
but would be allowable if rewritten in independent form including all of the limitations of the base claim 
and any intervening claims. 
Conclusion 

9. Applicant's amendment necessitated the new ground(s) of rejection presented in this Office 
action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of 
the extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from 
the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date 
of this final action and the advisory action is not mailed until after the end of the THREE-MONTH 
shortened statutory period, then the shortened statutory period will expire on the date the advisory action 
is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later than SIX 
MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should 
be directed to TESHOME HAILU whose telephone number is (571)270-3159. The examiner can normally 
be reached on Mon-Fri 7:30a.m. to 5:00p.m. EST. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 
Kambiz Zand can be reached on (571) 272-3811. The fax phone number for the organization where this 
application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent Application 
Information Retrieval (PAIR) system. Status information for published applications may be obtained from 
either Private PAIR or Public PAIR. Status information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) 
at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative 
or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 